Reproduces either (i) incomprehensible behavour or (ii) a critical bug in the Civic cookie control.

npm install
npm run dev

[If you don't use Node, just open index.html in some other local web server.]

• Open http://127.0.0.1:8080/
• Open the browser developer tools to see the console.
• The cookie control dialogue appears. Note that 'Analytical cookies' are 'OFF'.
• Click 'I accept'.
• Analytics accepted! is written to the console.

I do not expect to see this, because I have not accepted analytics. The "accepted" callback should not have been invoked.

The code is copied from the example code at https://www.civicuk.com/cookie-control/documentation. Additional cookie groups have been removed and a console.log line in each of the two callbacks instead of the Google Analytics initialisation and removal.

Additionally, the callbacks appear to be invoked every time a checkbox button is toggled. This breaks any normal UI convention and any reasonableness test for granting consent. I haven't consented to receive cookies until I click on the big 'I accept' button. I do not expect that toggling a checkbox would cause any immediate action to happen, let alone when there is a large form submission button unambiguously presented for that purpose.

Note I used the CDN code distribution as in the example, so this reproduction is not deterministic.